b'              U.S. GeNnrut SrRvrcrs AplttNlstnertoru\n              Office of Inspector General\n\n\n\n\nMarch6,2007\n\nMEMORANDUMFORJAMESA. WILLIAMS\n             COMMISSIONER\n                                                              (Q)\n                                                          SERVICE\n                      n-,,\' i; "t .****\n                      ryt           faY*tIoN\nFROM:                               MCGOWAN\n                      G\\I&bIDOLYNruSi\n                            ASSISTANTINSPECTORGENERALFOR\n                      TNFORMATIONTECHNOLOGYAUDITS (JA-T)\n\n                      fr*lrrU /tuf#".\n                      KENNETHL. CROMPTON\n                      DEPUTYASSISTANTINSPECTORGENERALFOR\n                      ACQUISITIONAUDITS (JA-A)\n\nSUBJECT:                                  GSA\'SELECTRONIC\n                      REVIEWOF EOFFER/EMOD.\n                      CONTRACTPROPOSALAND MODIFICATIONSYSTEM\n                                          lTlP07002\n                      REPORTNUMBERA060149/Q\n\nThe attachedsubject audit report presentsthe results of our review of GSA\'s system for\nelectroniccontractproposaland modification--eOffer/eMod.  Thesetwo importantweb-based\napplicationswerelaunchedin mid-2004andcurrently   allow companies  to electronicallyprepare,\nsubmit, and modiff contract proposalsfor select Multiple Award Schedules.Our review\nidentifiesareaswhereimprovementsareneededto ensuresuccessfuloperationsfor the system,\nincludingachievementof FAS goalsto createan interactive,secureeleatronicenvironmentthat\nsimplifiesthe contractingprocess.We met with your staff on December2I, 2006to discuss\nissuesraised during this review including low systemutilization rates and weaknesses   with\nimportantmanagerial,operational,  and technicalcontrols,including system  security controls.\nYou have concurredwith our findings and recommendations    for improving eOffer/eMod,and\nhave noted improvementactions underway. This report includes a ManagementResponse\nsection, which summarizesyour written commentsto the draft report and a copy of the\ncomments   you\'veprovidedis includedin AppendixB.\n\nIn accordancewith GSA Order ADM P 2030.2C,a time-phasedaction plan to specifically\naddressthe reportrecommendations   andthe Management DecisionRecordis requiredwithin 60\ndays of the report date. The time-phasedaction plan and completedSection B of the\nManagementDecision Record should be submittedto the Assistant InspectorGeneralfor\nAuditing (JA), with a copyto the Audit Follow-upandEvaluationBranch(BECA).\n\nIt is importantthat the final actionsand all managementdecisionsrespondingto the report be\ncompletedwithin 12 monthsof the audit report issuedate. Otherwise,the Office of Inspector\nGeneralmust identify in its SemiannualReportto Congressthe matterson which final actions\n                   24118th StreetS.,CS4,Suite 607,Arlington, VA 22202-3402\n                                             D*\n                        FederalRerycling Program         rri"t"a on RerycledPaoer\n                                                   {r!\n\x0chavenot beencompletedwithin this timeframe. As such,to the maximumextentpossible,your\ntime-phasedactionplan shouldscheduleactionsto be completedwithin 12 monthsof the report\nissuedate. To help us improveour customerservice,we have attacheda CustomerSatisfaction\nSurveydevelopedto obtain feedbackregardinghow the report and relatedaudit servicesmeet\ncustomerexpectations.We requestthat the primaryuserof this reportcompletethe questionnaire\nandreturnit to the Director,Audit OperationsStaff (JAO) in the envelopeprovided. I appreciate\nthe courtesiesand assistanceprovidedby you and your staff during our review. Shouldyou have\nany  questions,or if you would like to discussany aspectof the report in greaterdetail, please\ncontactme or DonnaPeterson-Jones,   Audit Manager,on (703) 308-1223.\n\nAttachments\n\x0c REVIEW OF EOFFER/EMOD,GSA\'SELECTRONIC\nCONTRACTPROPOSALAND MODIFICATION SYSTEM\n     REPORTNUMBER A060149/Q/TIP07002\n\x0c              U.S. GeNener Snnvrcrs AunalMsrnattoN\n              Office of Inspector General\n\n\n\nDate:         March6,2007\n\nReplyto       DeputyAssistantInspectorGeneralfor\nAttn of:      InformationTechnologyAudits (JA-T)\n\n              DeputyAssistantInspectorGeneralfor\n              AcquisitionAudits (JA-A)\n\nTo:           JamesA. Williams\n              Commissioner, FederalAcquisitionService(Q)\n\nSubject:                          GSA\'sElectronic\n              Reviewof eOffer/eMod,\n                             and\n              ContractProposal  ModificationSystem\n              ReportNumberA060149/Q lTlP07002\n\nThis report presentsthe results of our review of the eOfferieMod web-based applications that\nallow companies to electronically prepare and submit contract proposals and contract\nmodifications under the General Services Administration\'s Multiple Award Schedules(MAS)\nprogram.\n\nThe General Services Administration launched eOffer and eMod as the paperless means to\nstreamline the contract award and modification process in May and July of 2004, respectively.\nOur review found that both proposals and modification requests for MAS contracts are still\nprimarily being submitted on paper rather than electronically through eOffer/eMod. Though the\nnumber of electronic offers and modifications submitted by vendors has increasedover the last\nthree years, overall utilization rates for these two important web applications remain low.\nAlthough one goal for eOffer was to reduce the amount of time involved in making contract\nawards, contract awards made through electronic offers are taking longer to processthan awards\nmade on paper offers. Specific performance measures for eOffer/eMod needed to assess\ncustomer satisfaction or overall system performance have not yet been established. Currently,\njustification and important planning information for eOffer/eMod is contained in the Fiscal Year\n 2004-2007 Exhibit 300 businesscasesfor the Federal Supply Service-l9 system. We also\n identified that specific web application security risks were not adequately considered prior to\n system deployment. While specific technical security controls have improved, security\n management for eOffer/eMod needs to be strengthenedin response to the reported security\n vulnerabilities. Specifically,a comprehensiveCertification and Accreditationprocessto verify\n the adequacyof system security controls for eOffer/eMod and e-authenticationrisk assessment\n activities are not yet completed. Immediate attention to each of these risk areas is needed to\n improve usagerates, system functionality, and security for system resources. Written comments\n provided by your office have been included in their entirety in Appendix B.\n\n\n\n\n                    241 18th StreetS.,CS4,Suite 607,Arlington, VA 22202-3402\n\n                          F\'ederalRerycling Program\n                                                      @   Printed on RecycledPaper\n\x0cThis audit approachwas an integratedplanningandreportingeffort betweenthe JA-T andJA-A\naudit offices. I wish to expressmy appreciationto all of your staff and other personswho\ncooperatedduring the audit. If you have any questions,pleasecontact me or Gwendolyn\nMcGowan,the DeputyAssistantInspectorGeneralfor InformationTechnologyAudits, on 703-\n308-1223or Kenneth L. Crompton,the Deputy AssistantInspectorGeneralfor Acquisition\nAudits,on 703-603-01 89.\ncN, 0 0f          n-\n      f, k),trw*Ptvtr\n\\C0TrlAo,\nDonnaP.Peterson-Johes\nAudit Manager\nInformationTechnologyAudit Office (JA-T)\n\x0c                    REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\n                  CONTRACT PROPOSAL AND MODIFICATION SYSTEM\n                        REPORT NUMBER A060149/Q/T/P07002\n\n                                           TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY ............................................................................................i\n\nINTRODUCTION ..........................................................................................................1\n\n        Objectives, Scope, and Methodology ...................................................................2\n\nRESULTS OF AUDIT ...................................................................................................4\n\n        Utilization of eOffer/eMod Remains Low ............................................................4\n\n        Reduced Time for Processing Contract Awards\n        May Not Be Achieved with eOffer .......................................................................7\n\n        System Specific Performance Goals and Measures Needed.................................8\n\n        Continued Improvements Needed to Maintain System Security ..........................9\n\n            Key Security Steps Not Completed ..................................................................9\n\n            Web Application Security Controls Not Adequately Considered ....................10\n\nCONCLUSION...............................................................................................................11\n\nRECOMMENDATIONS................................................................................................11\n\nMANAGEMENT RESPONSE ......................................................................................12\n\nINTERNAL CONTROLS ..............................................................................................12\n\nAPPENDICES\n\n        eOffer/eMod Timeline of Select Activities...........................................................A-1\n\n       GSA FAS Response to Draft Report .....................................................................B-1\n\n       Report Distribution ................................................................................................C-1\n\x0c                    REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\n                  CONTRACT PROPOSAL AND MODIFICATION SYSTEM\n                        REPORT NUMBER A060149/Q/T/P07002\n\n                                   EXECUTIVE SUMMARY\n\nPurpose\n\nUnder the General Services Administration\xe2\x80\x99s (GSA) Schedules Program, GSA establishes long-\nterm government wide contracts that allow customers to acquire a vast array of supplies and\nservices directly from commercial suppliers. To become a GSA Schedule contractor, a vendor\nmust first submit an offer in response to the applicable solicitation. eOffer is a web-based\napplication that allows companies to electronically prepare and submit a contract proposal to the\nMultiple Award Schedules (MAS) program. eMod is a web-based application that allows MAS\ncontractors to electronically prepare and submit modifications for existing MAS contracts. The\nobjective of this review was to determine: Are eOffer/eMod realizing expected benefits,\nincluding delivery of functional, managerial, and user requirements for the system? Have\nsufficient security controls been designed and implemented with eOffer/eMod? If not, what\nimprovements are needed to better manage risk with the system?\n\nThe GSA Federal Supply Service (FSS) and the Federal Technology Service has reorganized and\nthe two services have been merged into the new Federal Acquisition Service (FAS), effective\nOctober 12, 2006. This report addresses findings and recommendations to the Commissioner of\nFAS for improving eOffer/eMod.\n\nBackground\n\nThe eOffer/eMod web-based applications allow companies to electronically prepare and submit\ncontract proposals (offers) and current MAS contract holders to prepare and submit contract\nmodifications. The purpose of eOffer is to create an interactive, secure electronic environment\nthat simplifies the contracting process from submission of proposal to award of contract. The\npurpose of eMod is to streamline and expedite the modification process and to create an\nelectronic modification file.         Both applications can be accessed via the web at\nhttp://eoffer.gsa.gov. Vendors submitting offers and/or modifications are able to sign\nelectronically using digital certificates to create a legally binding electronic contract. Currently,\neOffer is available for use on five Multiple Award Schedules: Schedule 70 (Information\nTechnology), Schedule 520 (Financial and Business Solutions), Schedule 541 (Advertising and\nIntegrated Marketing Solutions), Schedule 871 (Professional Engineering Services), and\nSchedule 874 (Mission Oriented Business Integrated Services). Contracting officers/contract\nspecialists (contract professionals) access electronic offers (e-offers) submitted by vendors via\nthe Offer Registration System, a module of FSS-19. eMod is used by MAS vendors to make\nmodifications to their existing contracts and covers all types of MAS contracts. The electronic\nmodifications submitted by vendors are accessed by contract professionals via a module of the\nFSS-19 system. The three GSA acquisition centers that accept e-offers include: the IT\nAcquisition Center \xe2\x80\x93 Arlington, VA; the Services Acquisition Center \xe2\x80\x93 Arlington, VA; and the\nManagement Services Center \xe2\x80\x93 Auburn, WA.\n\n\n\n                                                  i\n\x0cThe E-Government Act of 2002 requires Federal agencies to implement electronic signature\ncapability for secure electronic transactions with the government via the E-Authentication\ninitiative. This initiative is intended to provide the critical service of determining that\nindividuals are who they claim to be when conducting electronic transactions with the Federal\nGovernment by leveraging existing identity credentials. The initiative is intended to help\nminimize redundant solutions for the verification of identity and electronic signature\nrequirements for electronic transactions across government. eOffer/eMod is the first system\nwithin GSA to use the E-Authentication framework. The GSA Office of Inspector General\nconducted a review of the E-Authentication initiative in Fiscal Year (FY) 20041. A timeline of\nother select eOffer/eMod related activities is provided in Appendix A.\n\nResults-in-Brief\n\nGSA launched eOffer and eMod as the paperless means to streamline the contract award and\nmodification process in May and July of FY 2004, respectively. However, both proposals and\nmodification requests for MAS contracts are still primarily being submitted on paper rather than\nelectronically through eOffer/eMod. Though the number of electronic offers and modifications\nsubmitted by vendors has increased over the last three years, overall utilization rates for these\ntwo important web applications remain low. One of the goals for eOffer is to reduce the amount\nof time involved in making contract awards. Contrary to expected system benefits associated\nwith streamlined contract award processes, contract awards made on electronic offers are taking\nlonger to process than awards made on paper offers. Currently, justification and important\nplanning information for eOffer/eMod is contained in the FY 2004-2007 Exhibit 300 business\ncases for the FSS-19 system. However, specific performance measures for eOffer/eMod needed\nto assess customer satisfaction or overall system performance have not yet been established. Our\nreview found that specific web application security risks were not adequately considered prior to\nsystem deployment. While specific technical security controls have improved, security\nmanagement for eOffer/eMod needs to be strengthened in response to the reported security\nvulnerabilities. Specifically, a comprehensive Certification and Accreditation (C&A) process to\nverify the adequacy of system security controls for eOffer/eMod and e-authentication risk\nassessment activities are not yet completed. Immediate attention to each of these risk areas is\nneeded to improve usage rates, system functionality, and security for system resources, including\nsensitive data maintained in eOffer/eMod. Taking necessary and important steps to ensure\nimprovements with eOffer/eMod at this time is critical to assist GSA in ongoing efforts to reduce\ncontract award cycle times for the MAS program.\n\nRecommendations\n\nWe recommend that the Commissioner, Federal Acquisition Service, with the assistance of\nappropriate personnel responsible for eOffer/eMod, take the following actions:\n\n    1. Closely analyze eOffer/eMod usage rates and develop strategies to address the causes of\n       low usage.\n\n\n1\n Review of Federal Technology Service E-Authentication Initiative Report Number A040039/O/T/F04018,\nSeptember 30, 2004.\n\n\n                                                     ii\n\x0c   2. Address system and process concerns raised by contract professionals to improve\n      electronic offer processing times and ensure that the system addresses evolving agency\n      needs and requirements.\n\n   3. Develop an eOffer/eMod business case or update the FSS-19 business case to include\n      system specific performance goals and measures for monitoring actual performance\n      compared to expected results.\n\n   4. Ensure that system security controls are maintained to include:\n         a. Completion of the eOffer/eMod Certification and Accreditation (C&A) in\n             accordance with GSA CIO IT Security Policy and procedures.\n         b. Documentation for key security decisions and processes related to the system.\n         c. Development of a proactive approach for identifying and addressing web\n             application security weaknesses.\n\n\nManagement Response\n\nWe met with Federal Acquisition Service (FAS) personnel responsible for eOffer/eMod,\nincluding the Director of the Contract Management Center (FXC) and the FAS Chief\nInformation Officer to discuss the results of our review and received updated information prior to\nissuing the draft report. We have also received written comments from the Commissioner of\nFAS, which are provided in Appendix B. We have carefully considered all comments provided\nby FAS with this report and the FAS Commissioner has concurred with the findings and\nrecommendations presented. Written comments provided by the FAS Commissioner indicate\nthat FAS will take actions aimed at addressing the risk areas identified for this system. Ongoing\nor planned management actions to address risks include FAS: (1) embarking on corrective\nstrategies, including monitoring use, obtaining customer feedback, and increasing employee\ntraining, (2) improving the communication process between systems personnel and the\nacquisition centers, (3) developing a business case to determine appropriate shared performance\nmeasures for eOffer/eMod, and (4) completing the eOffer/eMod Certification and Accreditation\n(C&A) and other security controls.\n\n\n\n\n                                                iii\n\x0c                     REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\n                   CONTRACT PROPOSAL AND MODIFICATION SYSTEM\n                         REPORT NUMBER A060149/Q/T/P07002\n\n\n                                          INTRODUCTION\n\nThe General Services Administration (GSA) has recognized a complete paperless solicitation-\ncontracting environment as one of its business goals. In May and July of Fiscal Year (FY) 2004,\nGSA Federal Supply Service (FSS) launched eOffer/eMod as a component of the FSS-19\nsystem. eOffer/eMod are Internet web-based applications that allow companies to electronically\nprepare and submit multiple award schedule (MAS) contract proposals (offers) and current\ncontract holders to prepare and submit contract modifications. These web applications were\ndeveloped as part of a task order for the FSS-19 system under an existing Applications\nMaintenance and Enhancements Blanket Purchase Agreement with Unisys.                 Vendors are\nrequired to have a digital certificate to use eOffer/eMod, which enables the system to produce an\nelectronic signature to create a legally binding contract agreement. eOffer/eMod utilizes a step-\nby-step procedure to ensure that offers and modifications contain information required under\nFSS solicitations. A primary objective for the eOffer system is to provide an interactive, secure\nelectronic environment that simplifies the contracting process from submission of proposal to\naward of contract and to enable a seamless transmission of data from the vendor community to\nthe Federal Acquisition Service (FAS) contracting offices. eMod allows MAS contractors to\nelectronically prepare and submit contract modifications to FAS. The intent with eMod is to\nstreamline and expedite the modification process for existing MAS contracts and to create an\nelectronic modification file.        Vendors can access both eOffer and eMod online, at\nhttp://www.eoffer.gsa.gov. Contracting officers/contract specialists (contract professionals)\naccess and review electronic offers (e-offers) and modifications (e-mods) submitted by vendors\nvia the FSS-19 system. While all GSA acquisition centers can modify existing MAS contracts\nwith data provided through e-mods, currently only three GSA acquisition centers accept e-offers\nfrom vendors. The centers that accept e-offers include: the IT Acquisition Center - Arlington,\nVA; the Services Acquisition Center - Arlington, VA; and the Management Services Center -\nAuburn, WA.\n\nThe E-Government Act of 2002 requires Federal agencies to implement electronic signature\ncapability for secure electronic transactions with the government. The Federal E-Authentication\ninitiative is intended to provide the critical service of determining that individuals are who they\nclaim to be when conducting electronic transactions with the Federal Government by leveraging\nexisting identity credentials. The establishment of the E-Authentication initiative is intended to\nhelp minimize redundant solutions across government for the verification of identity and\nelectronic signature requirements for electronic transactions. eOffer/eMod is the first application\nof the Federal E-Authentication initiative within GSA. The GSA Office of Inspector General\ncompleted a review of the E-Authentication initiative in FY 20042. We also included\n\n\n\n2\n Review of Federal Technology Service E-Authentication Initiative Report Number A040039/O/T/F04018,\nSeptember 30, 2004.\n\n\n                                                     1\n\x0ceOffer/eMod in our FY 20053 annual evaluation of IT security controls required for the Federal\nInformation Security Management Act (FISMA) review. A timeline of other select eOffer/eMod\nrelated activities is provided in Appendix A.\n\nObjectives, Scope, and Methodology\n\nOur overall objective for this review was to determine: Are eOffer/eMod realizing expected\nbenefits, including delivery of functional, managerial, and user requirements for the system?\nHave sufficient security controls been designed and implemented with eOffer/eMod? If not,\nwhat improvements are needed to better manage risk with the system?\n\nWe interviewed senior management officials within FAS/FSS and analyzed key documentation\nfor the FSS-19 system and for eOffer/eMod. We met with and obtained information from the\nFAS Chief Information Officer (CIO); the Director of the Contract Management Center; Unisys\nProject Manager for eOffer/eMod; GSA Project Manager for eOffer/eMod; the Division Director\nof the Systems Management Center; eOffer/eMod helpdesk personnel in the Systems Support\nDivision; the Deputy Program Manager - E-Authentication in the Office of the Commissioner;\nthe Senior Assistant General Counsel of the Personal Property Division; the Information System\nSecurity Manager for eOffer/eMod; and the Information System Security Officer for\neOffer/eMod. We also interviewed 16 contract professionals at three acquisition centers that\nsupport MAS contracts through eOffer: the IT Acquisition Center \xe2\x80\x93 Arlington, VA; Services\nAcquisition Center \xe2\x80\x93 Arlington, VA; and Management Services Center \xe2\x80\x93 Auburn, WA.\n\nWe also reviewed the eOffer/eMod website, system user guides, and training materials to gain an\nunderstanding of the applications. We obtained user views on eOffer/eMod by reviewing user\nsatisfaction surveys completed by eOffer/eMod vendors and internal eOffer/eMod surveys\ncompleted by contract professionals within FSS. We analyzed FY 2004-2007 Exhibit 300\nbusiness cases for the FSS-19 system that included eOffer/eMod. We analyzed the eOffer\nSystem Security Plan, dated April 2004 and the FSS-19 Certification and Accreditation package,\ndated June 2004. We analyzed the FSS Applications Maintenance and Enhancements Blanket\nPurchase Agreement under which eOffer/eMod were developed. We also analyzed cycle times\nfor award processing times and number of electronic offers and modifications. We performed a\nlimited scope assessment of web application security controls for eOffer/eMod during this audit\nto determine the adequacy of remediation of publicly disclosed vulnerabilities.\n\nWe considered applicable Federal laws, regulations, and policies including: Office of\nManagement and Budget (OMB) Circular No. A-130, Appendix III, Security of Federal\nAutomated Information Resources, revised November 2000; OMB Circular No. A-11, Part 7,\nPlanning, Budgeting, Acquisition, and Management of Capital Assets, June 2005; the GSA\nInformation Technology (IT) Security Policy, CIO P 2100.1C, February 2006; National Institute\nof Standards and Technology (NIST) Special Publication 800-18, Guide for Developing Security\nPlans for Information Technology Systems, February 2006; NIST Special Publication 800-53,\nRecommended Security Controls for Federal Information Systems, February 2005; GSA\nInformation Technology (IT) Capital Planning and Investment Control, CIO 2135.1, June 2002;\n\n3\n FY 2005 Office of Inspector General FISMA Review of GSA\xe2\x80\x99s Information Technology Security Program Report\nNumber A050174/O/T/F05024, September 21, 2005.\n\n\n                                                    2\n\x0cGSA Information Technology (IT) Capital Planning and Investment Control, CIO 2135.2A,\nSeptember 2006; the Government Performance Results Act of 1993; the e-Government Act of\n2002; the Government Paperwork Elimination Act, October 1998; the Paperwork Reduction Act\nof 1995; and applicable Federal Acquisition Regulations and General Services Acquisition\nManual (GSAM) regulations.\n\nWe performed our audit work between March 2006 and October 2006 in accordance with\ngenerally accepted government auditing standards. The audit was managed under an integrated\naudit approach being piloted by the Information Technology (IT) Audit Office (JA-T) and the\nAcquisition Program Audit Office (JA-A). Audit work was primarily performed at FSS\nheadquarters in Arlington, Virginia.\n\n\n\n\n                                             3\n\x0c                                    RESULTS OF AUDIT\n\nThe eOffer/eMod web applications were initiated in FY 2004 as a paperless means to streamline\nGSA\xe2\x80\x99s contract award and modification process in support of GSA\xe2\x80\x99s schedules program.\nHowever, both proposals and modification requests for MAS contracts are still primarily being\nsubmitted on paper rather than electronically through eOffer/eMod. Though the number of\nelectronic offers and modifications submitted by vendors has increased over the last three years,\noverall utilization rates for these two important web applications remain low. One of the goals\nfor eOffer is to reduce the amount of time involved in making contract awards. Contrary to\nexpected system benefits associated with streamlined contract award processes, contract awards\nmade on electronic offers are taking longer to process than awards made on paper offers.\nCurrently, justification and important planning information for eOffer/eMod is contained in the\nFY 2004-2007 Exhibit 300 business cases for the FSS-19 system. However, specific\nperformance measures for eOffer/eMod needed to assess customer satisfaction or overall system\nperformance have not been established. Our review found that specific web application security\nrisks were not adequately considered prior to system deployment. While specific technical\nsecurity controls have improved, security management for eOffer/eMod needs to be strengthened\nin response to the reported security vulnerabilities. Specifically, a comprehensive Certification\nand Accreditation (C&A) process for eOffer/eMod and e-authentication risk assessment\nactivities are not yet completed. Immediate attention to each of these risk areas is needed to\nimprove usage rates, system functionality, and security for system resources, including sensitive\ndata maintained in eOffer/eMod. Taking necessary and important steps to ensure improvements\nwith eOffer/eMod at this time is critical to assist GSA in ongoing efforts to reduce contract\naward cycle times for the MAS program.\n\nUtilization of eOffer/eMod Remains Low\n\nAlthough GSA has implemented eOffer/eMod as the paperless means to streamline the contract\naward and modification process, most MAS proposals and modification requests are still being\nsubmitted on paper rather than electronically, through these web-based applications as expected.\nGSA has spent over $10 million to develop and maintain eOffer/eMod over the last three years.\neOffer is available for use by vendors for only five out of 42 total Multiple Award Schedules:\nSchedule 70 (IT Solutions), Schedule 520 (Financial and Business Solutions), Schedule 541\n(Advertising and Integrated Marketing Solutions), Schedule 871 (Professional Engineering\nServices), and Schedule 874 (Mission Oriented Business Integrated Services). Though the\nnumber of electronic offers and modifications submitted by vendors has increased, overall\nsystem utilization rates remain low due to lack of acceptance by contracting professionals and\nweak incentives to encourage vendors to submit electronic offers and modifications for schedules\ncontracts through eOffer/eMod. The following graphs illustrate the utilization rates for\neOffer/eMod for FY\xe2\x80\x99s 2004, 2005, and 2006:\n\n\n\n\n                                               4\n\x0c                                   Graph A: Utilization Rates of eOffer vs. Paper MAS Contract Offers*\n\n\n                                   3000\n\n\n                                   2500\n       Number of Offers Received\n\n\n\n\n                                   2000\n                                                                                                    Electronic\n                                   1500                                                             Offers\n                                                                                                    Paper Offers\n                                   1000\n\n\n                                    500\n\n\n                                      0\n                                           FY 04**       FY 05         FY 06\n                                    *For select schedules utilizing eOffer\n                                    **FY 04 data represents May-September 2004\n\n\n\n\nAlthough the number of electronic offers through eOffer has increased steadily over the last three\nyears, on average, electronic offers comprise only 9% of all offers received since May 2004.\nGraph A illustrates a comparison of paper and electronic offers received by the three GSA\nacquisition centers that receive electronic offers through eOffer. While GSA intended to have\neOffer available for six more schedules by December 2006, a plan is not yet in place as to when\nall 42 schedules will be available. According to FAS management, adding more schedules to\neOffer has been delayed due to a shift in priorities and resources resulting from GSA\'s plan to\nexpedite the MAS program contract award process. Not having all schedules available on eOffer\nmay be deterring vendors from conducting business with the government through electronic\ntransactions. In order to improve electronic submission of offers for the MAS program, FAS\nplans to provide a total end-to-end electronic contracting process through implementation of the\nSolicitation Writing System (SWS) within the FSS-19 environment. A July 2005 business case\nanalysis performed for the upcoming SWS stated that a favorable return on investment from the\nFSS investment in eOffer has not been realized since eOffer cannot receive offers electronically\nfor all the solicitations. SWS is intended to support the President\xe2\x80\x99s Management Agenda by\nsupporting the use of eBusiness technologies.            This new electronic process requires\nstandardization and automation of the solicitation component of the acquisition system to be able\nto promote the integration of solicitation information between relevant existing acquisition\nsystem modules, which includes eOffer. If successful, SWS would improve the supply chain\nprocess by affording the federal agencies a faster receipt of goods and services in a more timely\nand efficient manner by increasing the vendor responses via eOffer. With the utilization rates\nbeing low and only five schedules available on eOffer thus far, GSA may not be realizing\nenough benefit from eOffer to justify the cost.\n\n\n\n\n                                                                                 5\n\x0c                                              Graph B: Utilization Rates of eMod vs. Paper MAS Contract Modifications\n\n\n                                             50000\n          Number of Modifications Received   45000\n                                             40000\n                                             35000\n                                             30000\n                                                                                                     Electronic\n                                             25000\n                                                                                                     Modifications\n                                             20000\n                                                                                                     Paper\n                                             15000\n                                                                                                     Modifications\n                                             10000\n                                              5000\n                                                 0\n                                                     FY 04*    FY 05     FY 06\n                            *FY 04 Data represents July-September 2004\n\n\nUtilization rates for eMod remain low and have not kept pace with the increase in contract\nmodifications. While eOffer is available on a limited number of schedules, eMod is available for\nuse on all schedules. A careful analysis of implementation shortfalls for eMod is needed to close\nthe gap between electronic vs. paper MAS contract modifications. Although the number of\nelectronic modifications for existing MAS contracts has increased over the last three years, on\naverage, electronic modifications comprise only 4.5% of all modifications received since the\nimplementation of eMod. Graph B shows a comparison of paper and electronic modifications\nreceived from July 2004 through FY 2006 at ten acquisition centers that process electronic\nmodifications submitted by vendors via eMod.\n\nThough there has been an increase in the number of electronic offers and modifications\nsubmitted by vendors since the system has been online, electronic offers and modifications\ncontinue to represent a low percentage of overall offers and contract modifications received.\nInterviews with 16 contract professionals and results of a FSS survey of contracting officers\nconducted in October and November of 2005 indicate that contract professionals may not be\nencouraging vendors to use eOffer/eMod. Lack of buy-in was apparent during our interviews\nwith contract professionals and some contract professionals stated that having incentives to\npromote the use of eOffer/eMod would help them encourage the use of the applications by\nvendors. According to the FY 2006 FSS-19 business case, an additional benefit of eOffer/eMod\nis potential cost savings for other agencies as a result of more vendor choices and thus increased\ncompetition leading to better pricing.          Further, eOffer/eMod supports the President\xe2\x80\x99s\nManagement Agenda Financial Management Goal and was to result in cost savings realized by\nthe Government through the streamlining of the contract award process. Although eOffer/eMod\ndoes streamline the contract award process, increased usage resulting from availability to more\nvendors can further aid in achieving this financial management goal.\n\n\n\n\n                                                                                 6\n\x0cReduced Time for Processing Contract Awards May Not Be Achieved with eOffer\n\nAlthough eOffer was expected to streamline the MAS contract award process, awards made on\nelectronic offers through eOffer are taking longer to process than awards selected from paper\noffers. The following data related to award processing times for electronic offers and paper\noffers demonstrates that the goal has not been met with the system. Graph C illustrates that it is\ntaking longer for contract professionals to award contracts through eOffer than it is taking to\naward contracts on traditional paper offers4. In FY 2005, the average time that it took to award\nan MAS contract with proposals submitted on paper was 119 days and the average time to award\na contract via eOffer was 126.2 days. In FY 2006, the average award time for paper offers was\n119.7 days, while the average award time for electronic offers was 154.3 days. Instead of seeing\na drop in processing times in the second full year of eOffer deployment, the average award time\nto process electronic offers has increased by 28.1 days.\n\n                                   Graph C: Average Award Times\xe2\x80\x94eOffer vs. Paper Offers\n\n\n                                   160\n                                   140\n    Average Award Time (in days)\n\n\n\n\n                                   120\n                                   100\n                                    80                                                    Paper offers awards\n                                                                                          eOffer awards\n                                    60\n                                    40\n                                    20\n                                     0\n                                           FY 05        FY 06\n\n\n\nIn October 2005, FSS conducted an eOffer survey to obtain feedback from contract professionals\nwithin the IT Acquisition Center. Thirty-two responses were received from contract\nprofessionals who had processed an e-offer. Our analysis of the survey results found that some\ncontract professionals conveyed complaints from vendors about the system, desired additional\ntraining, and wanted additional system enhancements to make the use of eOffer more seamless.\nOur interviews with contract professionals who process electronic offers also identified a need\nfor system enhancements to assist them in processing electronic offers more efficiently and\nreduce the contract award time. They conveyed that the system does not solicit enough\ninformation from vendors to allow for contract professionals to adequately evaluate the\nproposals. Some vendors submit only information that the system requires. However, eOffer\ndoes not require vendors to submit specific documentation, which contract professionals need to\n4\n Note that information on paper offers may not be as reliable as eOffer data, since it is manually entered and can be\nmanipulated.\n\n\n                                                                           7\n\x0cmake a thorough evaluation of the proposal. For instance, eOffer does not prompt the vendor to\nsubmit past performance information, the FSS schedule price list, corporate experience, and\nexecutive summaries. Because contract professionals must follow-up with vendors to request\nthis type of information, electronic offers are not being processed in a time-efficient manner.\n\nWhile feedback was solicited on the system from contract professionals during beta testing\nconducted in April 2004, some contract professionals we interviewed also stated that system\nshortfalls may have been avoided had they been more involved in the system development\nprocess. Beta testing involved having vendors submit proposals through a beta system and ten\ncontract professionals from the IT Acquisition Center participated. The contracting officers\nreviewed the documents and began mock negotiations with the contractor. The electronic\nproposals were then taken to the signature process. A contract professional who participated in\nthe beta testing stated that the tests focused on verifying whether or not the system worked, but\ndid not consider how the system supports the contract professionals with evaluating and\nprocessing MAS contract proposals. Consequently, more input from individuals that have an\nunderstanding of the procurement process could have been beneficial during system\ndevelopment and may have resulted in improved system functionality for electronic offer\nprocessing.\n\nContract professionals raised specific concerns about having difficulty retrieving information\nthat is uploaded into eOffer by the vendors. In the paper process, GSAM 504.803 prescribes a\nstandard contract file format that is used to organize contract information. Paper files are\norganized using 27 tabs to separate the documents by type. However, this organization standard\nwas not implemented with documents uploaded into eOffer. With eOffer, contracting staff can\naccess the vendor uploads that make up their proposal within the Offer Registration System\n(ORS), a module of FSS-19. Each uploaded document is a separate link and contract\nprofessionals have complained that there is no way to know what each link represents without\nhaving to click on the link and open each document individually. GSA is currently developing\nan electronic contract file that will organize contract information that is similar to the paper\nprocess format. Contract professionals we spoke with stated they would benefit by having better\norganization of the information within ORS that the vendors provide into eOffer or any future\nenhancements to the application.\n\nSystem Specific Performance Goals and Measures Needed\n\nSystem specific performance measures for assessing customer satisfaction and overall goals for\neOffer/eMod are not in place to guide needed improvements and to ensure expected benefits are\nachieved. Currently, eOffer/eMod is included in the OMB Exhibit 300 budget submission for\nthe FSS-19 system, and business cases for FY 2004 through FY 2007 state that FSS-19 supports\nthe goal of \xe2\x80\x9cOperating Efficiently and Effectively\xe2\x80\x9d by continuously enhancing automated\nprocesses, such as those in eOffer/eMod, based on improvements to the internal processes and\nuser requirements. While the FY 2006 and FY 2007 business cases include the performance\nimprovement goal to reduce cycle time to process offers and contract modifications, they are not\nsystem specific performance goals and measures sufficient to guide system operations and\n\n\n\n\n                                               8\n\x0cmaintenance decisions. OMB budget procedures5 require that agencies institute performance\nmeasures and management processes that monitor actual performance compared to expected\nresults. System performance measures are important because they can be used to measure\nprogress towards milestones in terms of cost and capability of the system and to help ensure that\nthe IT investment meets specified requirements.\n\nThe use of e-Authentication, which is an e-Gov initiative, makes the eOffer/eMod applications\nimportant and gives them high visibility. eOffer/eMod are important applications needed to\ncarry out the vision of electronic contracting at GSA. Updated GSA policy6 on IT Capital\nPlanning and Investment Control states that during budget formulation, business cases will be\nprepared for proposed major IT investments. The policy states that performance measures and\nmanagement processes that monitor and compare actual performance to planned results must be\ninstituted. High visibility applications like these should be considered major IT investments and\nshould have business cases that identify system specific performance measures and goals.\nSystem goals should be specific enough to provide the means for evaluating the system\xe2\x80\x99s\nperformance on a regular basis. For effectiveness, performance measures need to be tracked in a\nmanner that shows progress against the goal. Adequate performance measures could provide\nmanagement valuable information related to system performance and customer satisfaction.\n\nContinued Improvements Needed to Maintain System Security\n\nWeb application security controls were not adequately considered prior to the implementation of\neOffer/eMod, and system security processes and documentation needed to ensure recently\nimproved controls are maintained remain incomplete. Further, the required certification and\naccreditation process is not yet completed for these important applications and necessary e-\nAuthentication risk assessment activities have not been performed. Continued improvements in\nthese areas are needed to maintain system security and to ensure long-term success for\neOffer/eMod.\n\nKey Security Steps Not Completed\n\nImportant security controls were not adequately addressed with the Certification and\nAccreditation process completed for eOffer/eMod. Certification is a comprehensive assessment\nof the management, operational, and technical security controls for an information system.\nAccreditation is the official management decision of a senior agency official to authorize\noperation of an information system and to explicitly accept any risk to agency operations, agency\nassets, or individuals based on the implementation of an agreed-upon set of security controls.\neOffer/eMod began operations under an Interim Authority to Operate (IATO) that was\ncontingent upon key security steps to be completed within six months of the date of the letter,\nApril 2004. As part of the IATO, a System Security Plan was completed for eOffer/eMod in\nApril 2004, which indicated that rules of behavior have not been established to ensure that\nsystem users are of aware of consequences for unauthorized actions. Informing users of the\nconsequences of unauthorized access can deter malicious use of the system. In June 2004,\neOffer/eMod was included as part of the FSS-19 system Certification and Accreditation package.\n\n5\n    OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets, June 2005.\n6\n    GSA Information Technology (IT) Capital Planning and Investment Control, CIO 2135.2A, September 2006.\n\n\n                                                         9\n\x0cHowever, with the FSS-19 Certification and Accreditation, key security steps identified in the\neOffer/eMod IATO were not completed. For example, the FSS-19 Contingency Plan was not\nupdated to include eOffer/eMod, the FSS-19 Risk Assessment was not updated to address threats\nto eOffer/eMod, and rules of behavior have not yet been established for eOffer/eMod.\n\nAs part of our FY 2005 annual FISMA review7, we communicated specific system security\nweaknesses for eOffer/eMod to system security officials with written management\ncorrespondence conveyed in January 2006. During this timeframe a significant security incident\ndisrupted system operations for eOffer/eMod involving the unauthorized actions of a system\nuser. However, at the end of our review, the Certification and Accreditation of system security\ncontrols for eOffer/eMod had not yet been completed in accordance with Agency IT Security\nPolicy and procedures. While FAS plans to complete a separate C&A for eOffer/eMod, it is\nimportant that a process for maintaining adequate security be established quickly to ensure the\nintegrity, reliability, and availability for these important applications and to avoid potential\nsecurity incidents in the future.\n\nGSA\xe2\x80\x99s IT Security Policy requires that all information systems that allow authentication of users\nfor the purpose of conducting government business electronically must complete an e-\nAuthentication risk assessment. The Office of Management and Budget has issued guidance8 on\nhow to conduct e-Authentication risk assessments, stating that the purpose of an e-\nAuthentication risk assessment is to determine the appropriate assurance level for a system. The\nNational Institute of Security and Technology9 has developed a complementary e-Authentication\ntechnical guidance that agencies must use to identify appropriate technologies for securing\nFederal systems based on assurance levels. The first step in conducting an e-Authentication risk\nassessment is to perform a system risk assessment. However, a risk assessment has not been\ncompleted as part of a C&A for eOffer/eMod. Guidance for e-Authentication risk assessments\nfocuses on controls for authenticating users and does not directly apply to authorization controls,\nwhich focus on the actions permitted within the system after a user has been authenticated to the\nsystem. eOffer/eMod was designated at a level 3 assurance and it became the first GSA\napplication to utilize digital certificates provided through the Federal E-Authentication initiative.\nWhile level 3 may be the correct assurance level for eOffer/eMod, key security decisions, such\nas this, should be documented with a complete e-Authentication risk assessment. Management\ncontrols should be in place to ensure that all necessary security controls including provisions for\nauthenticating users and authorizing access to sensitive information contained in eOffer/eMod\nare properly documented.\n\nWeb Application Security Controls Not Adequately Considered\n\nNecessary web application security controls were not adequately considered prior to the\ndeployment of eOffer/eMod. Due to inherent risk with web applications, special security\nconsiderations are needed to protect against threats such as Cross-site Scripting and Structured\n\n7\n  FY 2005 Office of Inspector General FISMA Review of GSA\xe2\x80\x99s Information Technology Security Program Report\nNumber A050174/O/T/F05024, September 21, 2005\n8\n  OMB M-04-04 E-Authentication Guidance for Federal Agencies, December 16, 2003.\n9\n  NIST Special Publication 800-63 Electronic Authentication Guideline, April 2006.\n\n\n\n                                                    10\n\x0cQuery Language (SQL) Injection that can compromise the integrity and availability of the\nsystem, the confidentiality of data contained within the system, or exploit system users. Specific\nweb application vulnerabilities were discovered within eOffer/eMod by a system user in\nDecember 2005. This security incident resulted in eOffer/eMod being shut down for six days\nwhile the security of the system was assessed and vulnerabilities were repaired. The incident\nwas also reported to the United States Computer Emergency Readiness Team, and system\nsecurity officials have taken steps to further address the reported vulnerabilities. The FAS CIO\nhas utilized a tool for an automated source code review of eOffer/eMod that includes limited\ntesting of vulnerabilities identified in the Open Web Application Security Project (OWASP) Top\nTen Most Critical Web Application Security Vulnerabilities. Our follow-up tests of technical\ncontrols verified that the reported weaknesses have been corrected. A complete Certification and\nAccreditation would include an assessment of web application security controls, as required by\nGSA\xe2\x80\x99s IT Security Policy, and is needed to ensure that improved security is maintained as new\nrisks are introduced with system enhancements and changing cyber security threats.\n\n                                         CONCLUSION\n\nGSA has implemented eOffer/eMod as the paperless means to streamline the contract award and\nmodification process. However, most offers and modification requests are still being submitted\non paper rather than electronically through these important web applications as expected. Close\nmonitoring of usage rates for eOffer/eMod is needed to address the causes of low system\nutilization in support of GSA\xe2\x80\x99s goal is to reduce the time it takes for contractors to obtain a basic\nGSA schedule contract. Although eOffer was expected to streamline the contract award process,\ncontract awards made on electronic offers are taking longer to process than awards made on\npaper offers. Because it is taking longer to award contracts on electronic offers than it does to\naward contracts on paper offers, we believe that improvements to the eOffer system are needed\nto support contract professionals in increasing electronic offer processing.                Contract\nprofessionals have indicated that issues with system functionality have hindered their ability to\nprocess electronic offers in a timely manner. Further, specific performance measures for\neOffer/eMod needed to assess customer satisfaction and system performance have not been\nestablished. While specific technical security control weaknesses for eOffer/eMod, which\nresulted in application vulnerabilities affecting the confidentiality and integrity of the system\nhave been addressed, necessary security documentation and processes remain incomplete.\nTaking constructive steps to improve eOffer/eMod will better position GSA for success with the\nplanned SWS initiative to automate and streamline the entire MAS contract award process.\n\n\n                                    RECOMMENDATIONS\n\nWe recommend that the Commissioner, Federal Acquisition Service, with the assistance of\nappropriate personnel responsible for eOffer/eMod, take the following actions:\n\n   1. Closely analyze eOffer/eMod usage rates and develop strategies to address the causes of\n      low usage.\n\n\n\n\n                                                 11\n\x0c   2. Address system and process concerns raised by contract professionals to improve\n      electronic offer processing times and ensure that the system addresses evolving agency\n      needs and requirements.\n\n   3. Develop an eOffer/eMod business case or update the FSS-19 business case to include\n      system specific performance goals and measures for monitoring actual performance\n      compared to expected results.\n\n   4. Ensure that system security controls are maintained to include:\n         a. Completion of the eOffer/eMod Certification and Accreditation (C&A) in\n             accordance with GSA CIO IT Security Policy and procedures.\n         b. Documentation for key security decisions and processes related to the system.\n         c. Development of a proactive approach for identifying and addressing web\n             application security weaknesses.\n\n                                 MANAGEMENT RESPONSE\n\nWe met with Federal Acquisition Service (FAS) personnel responsible for eOffer/eMod,\nincluding the Director of the Contract Management Center (FXC) and the FAS Chief\nInformation Officer to discuss the results of our review and received updated information prior to\nissuing the draft report. We have also received written comments from the Commissioner of\nFAS, which are provided in Appendix B. We have carefully considered all comments provided\nby FAS with this report and the FAS Commissioner has concurred with the findings and\nrecommendations presented. Written comments provided by the FAS Commissioner indicate\nthat FAS will take actions aimed at addressing the risk areas identified for this system. Ongoing\nor planned management actions to address risks include FAS: (1) embarking on corrective\nstrategies, including monitoring use, obtaining customer feedback, and increasing employee\ntraining, (2) improving the communication process between systems personnel and the\nacquisition centers, (3) developing a business case to determine appropriate shared performance\nmeasures for eOffer/eMod, and (4) completing the eOffer/eMod Certification and Accreditation\n(C&A) and other security controls.\n\n                                   INTERNAL CONTROLS\n\n\nOur overall objective for this review was to determine: Are eOffer/eMod realizing expected\nbenefits, including delivery of functional, managerial, and user requirements for the system?\nHave sufficient security controls been designed and implemented with eOffer/eMod? If not,\nwhat improvements are needed to better manage risk with the system? We conducted a limited\nreview of internal controls for eOffer/eMod as outlined in Government Accountability Office\nstandards. We focused our review on management, operational and technical controls for\neOffer/eMod, as well as user satisfaction. The Results of Audit and Recommendations sections\nof this report state in detail the need to strengthen specific managerial, operational and technical\ncontrols with eOffer/eMod. Our review did not include a detailed analysis of all controls or\ncapabilities within eOffer/eMod.\n\n\n\n\n                                                12\n\x0c              REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\n            CONTRACT PROPOSAL AND MODIFICATION SYSTEM\n                  REPORT NUMBER A060149/Q/T/P07002\n\n                     eOffer/eMod Timeline of Select Activities\n\n\nJun 01    Blanket Purchase Agreement Statement of Work issued for FSS Applications\n          Maintenance and Enhancement\nJan 03    eOffer/eMod project plan developed\nJan 03    eOffer/eMod development begins\nJul 03    Requirements document for eOffer/eMod prepared\nApr 04    eOffer/eMod beta testing conducted\nApr 04    eOffer/eMod security plan released\nApr 04    Interim Approval to Operate (IATO) eOffer/eMod system in initial operating\n          capability letter signed by the FSS CIO. The letter states that eOffer/eMod can be\n          operated in Beta and initial production mode for a period of six months contingent\n          upon a list of security controls that must be implemented.\nMay 04    eOffer goes on-line\nJune 04   eOffer/eMod combined with FSS-19 Certification and Accreditation package\nJuly 04   eMod goes on-line\nAug 04    Date on the revised version of Task Order #4 \xe2\x80\x93 Order Processing Statement of\n          Work (eOffer/eMod is covered under this Task Order)\nOct 04    Implementation due date for security controls listed in the IATO letter dated April\n          04\nOct 05    User satisfaction surveys are sent out to GSA contracting officers.\nDec 05    Security flaw in eOffer reported to the GSA OIG hotline. Hotline complaint\n          alleges that the system allows unauthorized parties to view and modify corporate\n          and financial information submitted by vendors.\nJan 06    eOffer/eMod taken offline to address hotline complaint allegations\nJan 06    SecureInfo security testing report released. The report found that the security\n          vulnerabilities identified in the hotline complaint had been removed.\nOct 06    Planned implementation of the Acquisition Desktop, a tool to be used by\n          contracting officers to create/review solicitations, review offers, etc.\n\n\n\n\n                                          A-1\n\x0c  REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\nCONTRACT PROPOSAL AND MODIFICATION SYSTEM\n      REPORT NUMBER A060149/Q/T/P07002\n\n       GSA FAS Response to Draft Report\n\n\n\n\n                     B-1\n\x0cB-2\n\x0cB-3\n\x0c                          REVIEW OF EOFFER/EMOD, GSA\xe2\x80\x99S ELECTRONIC\n                        CONTRACT PROPOSAL AND MODIFICATION SYSTEM\n                              REPORT NUMBER A060149/Q/T/P07002\n\n                                              REPORT DISTRIBUTION\n\n                                                                                                                      Copies\n\nCommissioner, Federal Acquisition Service (Q) .............................................................3\n\nGSA Chief Information Officer (I) ..................................................................................2\n\nOffice of the Chief Information Officer (QI), Federal Acquisition Service ....................2\n\nDirector, Contract Management Center (FXC) ...............................................................2\n\n                                                                                                             Electronic Copies\n\nDirector, IT Acquisition Center (FCI) .............................................................................1\n\nDirector, Management Services Center (10FT)...............................................................1\n\nDirector, Services Acquisition Center (FCX)..................................................................1\n\nManagement Control and Audit Liaison, Program Management and\nAdministration Division (FPP) ........................................................................................1\n\nAudit Liaison, Office of the Chief Information Officer (I) .............................................1\n\nAudit Follow-up and Evaluation Branch (BECA)...........................................................1\n\nAssistant Inspector General for Auditing (JA) ................................................................1\n\nAudit Operations Staff (JAO) ..........................................................................................1\n\nAdministration and Data System Staff (JAS) ..................................................................1\n\n\n\n\n                                                                C-1\n\x0c'